ABSTRACT

The present invention allows even small-size verification devices to authenticate rights and qualifications without leaking authentication characteristic information to third parties. A ticket issuance device computes document private information μ from a private function f of an interaction device owned by a user and document m to be transferred to the interaction device when generating interaction, and issues ticket t generated from authentication characteristic information x and the document private information μ to the user. The interaction device, when document m is input, generates document private information using a private function f specific to the interaction device, and performs interaction based on the document private information. The interaction comprises output of commitment r, input of challenge χ, output of response σ, and message M output. The user converts interaction (r, χ, M, σ) into interaction (r, χ, M, s) using ticket t to perform Guillou-Quisquater authentication.

28 Claims, 12 Drawing Sheets 
METHOD AND DEVICE FOR AUTHENTICATION



BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to information security techniques, and more particularly, to a method and a device that make it possible to hide private information itself while providing system users with prover functions based on the private information, in an authentication code system whose security rests on the difficulty of an annihilator determination problem.

2. Prior Art 

Decryption keys in prior art public key cryptography, signature keys in signature schemes, and authentication keys in authentication schemes are characteristic information: what is authenticated is the holding of these pieces of private information. As an example, a description will be made of an authentication code system based on the authentication system proposed in "A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory", Advances in Cryptology EUROCRYPT '88 (Lecture Notes in Computer Science v. 330), C. G. Guenther (ed.), Springer-Verlag, pp. 123-128, by Guillou and Quisquater.

FIG. 1 explains the flow of the authentication code system.

Let n be a composite number that is difficult to factor into prime factors, G be the multiplicative group (Z/nZ)* of the residue class ring of rational integers modulo n, p be a prime number that does not divide the Carmichael function λ(n) of n, R be a space of commitments, π be a function from G to R, C be a space of challenges, S be a space of messages, φ be a mapping from the set-theoretic product C×S of C and S into F_p (F_p denotes the finite field of p elements), I ∈ G be public verification information, and x ∈ G satisfying I x^p = 1 be authentication characteristic information.

A holder of characteristic information x can send any message M ∈ S safely, because pretending and tampering are prevented by performing the operation of a prover 200 as described below.

(1) Generate a random number k ∈ G and send a commitment r = π(k^p).

(2) Compute an exponent c = φ(χ, M) from the given challenge χ and the message M to be sent, and send the message M and a response s = k x^c.

Anyone who knows verification information I can verify the operation of the prover 200 by performing the operation of a verifier 100 as described below, and can assure himself that the prover 200 holds the authentication characteristic information and that the sent message has not been tampered with.

(1) After the commitment r is given, send the challenge χ generated at random to the prover 200.

(2) Make sure that the given message M and response s satisfy the following relation.

r = π(s^p I^c) [Expression 2]
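The prover and verifier operations just described, run end to end as an added example (this is not text or code from the patent). The parameters are constructed toy values: n is the product of two small constructed primes, π is taken as the identity mapping, and φ is realised as a SHA-256 hash of the challenge and message reduced modulo p. These choices are assumptions made here for illustration; n is far below the size the page later calls for (about 1024 bits) and only serves to make the relation r = π(s^p I^c) checkable by hand.

```python
import hashlib
import math
import secrets

# Constructed toy parameters, chosen only to make the arithmetic visible.
# A deployable n must be infeasible to factor (the page speaks of ~1024 bits).
P1, P2 = 1000003, 1000033            # constructed distinct odd primes
N = P1 * P2                          # the composite modulus n; G = (Z/nZ)*
LAMBDA_N = math.lcm(P1 - 1, P2 - 1)  # Carmichael function λ(n) for n = p1·p2
P = 65537                            # prime exponent p; it must not divide λ(n)
assert LAMBDA_N % P != 0, "p must not divide λ(n) so that g -> g^p is a bijection"


def phi(chi: int, message: bytes) -> int:
    """φ: C×S -> F_p, realised here (an assumption) as SHA-256(χ || M) reduced modulo p."""
    digest = hashlib.sha256(chi.to_bytes(32, "big") + message).digest()
    return int.from_bytes(digest, "big") % P


def keygen() -> tuple:
    """Pick authentication characteristic information x in G and publish I with I·x^p = 1."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            break
    I = pow(pow(x, P, N), -1, N)     # I = x^(-p) mod n, so I·x^p = 1
    return x, I


def prover_commit() -> tuple:
    """Prover step (1): random k in G and commitment r = π(k^p), with π the identity."""
    k = secrets.randbelow(N - 1) + 1
    return k, pow(k, P, N)


def prover_respond(x: int, k: int, chi: int, message: bytes) -> int:
    """Prover step (2): exponent c = φ(χ, M) and response s = k·x^c."""
    c = phi(chi, message)
    return k * pow(x, c, N) % N


def verify(I: int, r: int, chi: int, message: bytes, s: int) -> bool:
    """Verifier step (2): accept iff r = π(s^p · I^c). Only the public I is needed."""
    c = phi(chi, message)
    return r == pow(s, P, N) * pow(I, c, N) % N


def run_exchange(message: bytes) -> bool:
    """Full exchange: prover commits, verifier challenges, prover responds, verifier checks."""
    x, I = keygen()
    k, r = prover_commit()                  # prover -> verifier: r
    chi = secrets.randbelow(1 << 128)       # verifier -> prover: random χ
    s = prover_respond(x, k, chi, message)  # prover -> verifier: M, s
    return verify(I, r, chi, message, s)


if __name__ == "__main__":
    print("honest exchange accepted:", run_exchange(b"open the door"))
```

The check works for any k because s^p I^c = k^p (x^p I)^c = k^p in Z/nZ; the condition that p does not divide λ(n) is what makes g ↦ g^p a bijection, so a response altered in any way fails the relation rather than colliding with a valid one.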

37,916 B1

These techniques are developed on the assumption that holders of the above-mentioned private information do not publicize it. Therefore, this allows ciphertext that can be decrypted by only persons holding these pieces of private information, signature that can be generated by only persons holding these pieces of private information, and authentication that makes it impossible for others to impersonate the holders of these pieces of private information. Accordingly, the above-mentioned techniques can be used in only situations in which exposure of these pieces of private information is disadvantageous to the holders of them. A typical example of such situations is found in a case where the above-mentioned private information is held by only specific individuals and is characteristic information for authenticating the individuals.

In this case, the above-mentioned characteristic information plays a role just similar to a home lock and an individual's seal. Practically, the construction of a lock and seal of actual life as digital information can be easily implemented as a direct application of these cryptographic methods. For example, if a home lock is configured so that it is used as a verifier in the above-mentioned Guillou-Quisquater system and is unlocked only when the verification succeeds, the holding of authentication characteristic information x will be equivalent to the holding of a home lock.

3. Problems of the Prior Art 

In contrast to the above-mentioned individual's home lock case where the exposure of authentication characteristic information is disadvantageous to the individual, there exist cases where the exposure is advantageous to the exposer. These are cases where a holder of characteristic information has the right and qualification to receive specific services. In these cases, an approach cannot be taken which distributes characteristic information representing rights and qualifications to persons having the rights and qualifications and verifies that they hold the characteristic information, as in the above-mentioned case of authenticating individuals. This is because the characteristic information is passed to a third party not having the rights and qualifications, since the exposure of the characteristic information is not disadvantageous to the holder of it, so that an advantage can be illegally obtained by the third party.

Hence, heretofore, the three types of methods described below have been employed in place of authentication methods employing the above-mentioned public key cryptographic techniques without modification.

(1) A first method is that individuals hold private characteristic information belonging to the individuals, and a party to verify the holding of rights and qualifications holds a list of the individuals having the rights and qualifications together with the private characteristic information of the individuals. This method can be used for authentication of rights and qualifications since the leak of characteristic information would be disadvantageous to individuals.

(2) A second method is that individuals hold private characteristic information belonging to the individuals, and a party to verify the holding of rights and qualifications holds a list of the individuals having the rights and qualifications together with public information corresponding to the private characteristic information of the individuals. This method can be used for authentication of rights and qualifications since the leak of characteristic information would be disadvantageous to individuals.

(3) A third method is that a grantor of rights and qualifications passes a signature created from characteristic information held by the grantor to a grantee of a right and qualification, and a verifier authenticates the right and qualification by verifying the signature. An example of this method is found in "Online Cash Checks", Advances in Cryptology EUROCRYPT '89 (Lecture Notes in Computer Science v. 434), J.-J. Quisquater, J. Vandewalle (eds.), Springer-Verlag, pp. 288-293, by D. Chaum. According to this method, a problem with the leak of characteristic information will not occur since a party to prove the possession of right and qualification has no characteristic information.

However, with the first method, a verifier must hold a list of holders of right and qualification. This imposes the burden of storing and managing the list on the verifier, entailing a high-performance verification device. Also, since the verification device cannot be manufactured independently of the grantor of rights and qualifications, information must be exchanged at all times between the verification device and the grantor of rights and qualifications. Furthermore, since the verifier has individuals' characteristic information, individuals authenticated by this method will have a risk of the characteristic information being illegally leaked by the verifier.

With the second method, a verifier must hold a list of holders of rights and qualifications. This imposes the burden of storing and managing the list on the verifier, entailing a high-performance verification device. Also, since the verification device cannot be manufactured independently of the grantor of rights and qualifications, information must be exchanged at all times between the verification device and the grantor of rights and qualifications.

With the third method, since distributed signature information can be used by anyone, its duplication must be prevented. This is achieved by a method of preventing duplicate use of a signature value. To be specific, all signature values once used for authentication are stored in the verifier so that the verifier can check that they are not duplicately used. However, to provide this function for the verifier entails a high-performance verification device. Also, all verification devices to authenticate the same rights and qualifications must share a list of signature values once used for authentication, and therefore information must be exchanged at all times among the verification devices.

As described above, any of the three conventional methods contains a serious problem, making it difficult to configure particularly a verifier with small-scale devices and software.

On the other hand, the above-mentioned authentication method that uses characteristic information indicating rights and qualifications is advantageous in that the only task to be done by a verifier is to check to see whether characteristic information indicating rights and qualifications is held.

As described above, the prior art has had a problem in that if a small-scale verification device is used to authenticate rights and qualifications, there may arise a risk of authentication characteristic information leaking to outsiders, while if the risk is to be eliminated, the verification device becomes large-scale.

SUMMARY OF THE INVENTION

As described above, an object of the present invention is to implement an authentication code technique which enables a small-scale verification device to authenticate rights and qualifications without authentication characteristic information leaking to outsiders.

An authentication code technique of the present invention is based on:

(1) an interaction device that generates document private information from a document, which is releasable information defined at ticket issuance, and makes interaction based on the document private information, and

(2) a ticket, which is releasable information generated from the document private information and authentication characteristic information.
That is, according to the present invention, where p is a prime number, F_p is a p-element field, G is a finite Abelian group whose annihilator is difficult in point of computational complexity to obtain (described multiplicatively only for the purpose of fixing a notation; the present invention can also apply to groups customarily described additively, e.g., an elliptic curve, if it is difficult in point of computational complexity to obtain an annihilator), R is a space of commitments, π is a mapping from G to R, C is a space of challenges, S is a space of messages, and φ is a mapping from the set-theoretic product C×S of C and S into F_p, the following steps are executed in an interaction method by which commitment r is generated, and response σ and message M are generated for document m and challenge χ.

(a) Step to generate nonreproducible private information k ∈ G at random

(b) Step to compute commitment r = π(k^p)

(c) Step to compute document private information μ = f(m), with f a private function valued in G

(d) Step to generate message M

(e) Step to compute exponent c = φ(χ, M)

(f) Step to compute response σ = k μ^c

In this configuration, proof functions based on authentication characteristic information can be distributed without disclosing the authentication characteristic information in public key cryptography. Hence, it has become possible for a plurality of individuals having no interest with each other to safely perform proving based on identical authentication characteristic information. This has been heretofore impossible. Since public key cryptography based on Guillou-Quisquater authentication is employed, zero-knowledgeability is proved. Moreover, messages can be safely transferred.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 shows the principle of an authentication method of 
the prior art. 

FIG. 2 shows an overall configuration. 

FIG. 3 shows the configuration of an interaction device. 

FIG. 4 shows the operation of an interaction device.

FIG. 5 shows the configuration of a ticket issuance device. 

FIG. 6 shows the operation of a ticket issuance device. 

FIG. 7 shows the operation of a ticket verification device. 

FIG. 8 shows the configuration of an interaction device. 

FIG. 9 shows the configuration of a ticket verification 
device. 

FIG. 10 shows the operation of an interaction device.

FIG. 11 shows the principle of a proving method by use of a ticket.

FIG. 12 shows the configuration of an application 
example. 

FIG. 13 shows the configuration of an application 
example. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

Prior to the description of embodiments, the usage mode 
of the present invention will be described briefly. 

FIG. 2 shows the overall configuration of the present invention.

A ticket issuer issues an interaction device 300 characterized by a specific private function and distributes it to users. If the private function characterizing the interaction device 300 were known to the users, the interaction device 300 could be freely duplicated and tickets could be abused beyond control of the ticket issuer. Accordingly, the private function of the interaction device 300 can be protected against even authorized holders of the interaction device 300 trying to steal it.

The interaction device 300 may also be configured, e.g., as a smart card (IC card).

The interaction device 300, when data m called a document is input, generates document private information μ using a private function f specific to the interaction device 300, and performs interaction based on the document private information.

Interaction is performed in the following processes:

(1) output of commitment r

(2) input of challenge χ

(3) output of message M and response σ

The above interaction is nominally the same as that performed by provers in Guillou-Quisquater authentication. FIG. 1 shows the flow of Guillou-Quisquater authentication.

Documents are not only used to generate document private information. For example, documents can be programs and commands executable by the interaction device 300, and parameters for processing performed in or messages issued from the interaction device 300 to the prover 200 and to the verifier 100.

The issuance of ticket t by a ticket issuer in association with authentication characteristic information x is implemented by distributing a function to generate interaction (r, χ, M, s) based on authentication characteristic information to a user by a method described below.

The ticket issuer uses the ticket issuance device 400 to compute document private information μ from the private function f of the interaction device 300 owned by the user and document m to be transferred to the interaction device when generating interaction, and issues ticket t generated from the authentication characteristic information x and the document private information μ to the user.

The authentication characteristic information x and the document private information μ are hidden from the user.

The user generates interaction (r, χ, M, σ) by inputting the specified document m to the interaction device 300 and uses the issued ticket t to transform the interaction (r, χ, M, σ) into interaction (r, χ, M, s) based on the authentication characteristic information associated with the ticket.

When commands of processing for the interaction device 300 are described in the document, interaction generation using a ticket is associated with the commands described in the document, whereby the effectivity of the ticket can be

To be specific, interaction can be transformed by computing response s from challenge χ, response σ of the interaction device, message M, and ticket t.

It will be described in an embodiment that the transformed interaction (r, χ, M, s) is nothing but an interaction generated by a prover of Guillou-Quisquater authentication in FIG. 1.

Characteristic information x of authentication associated with the ticket is generated independently of document private information μ, which is different for each of the various documents of each interaction device 300.

A ticket issuer can distribute a function of interaction based on given authentication characteristic information x to users in the form of a ticket in association with an arbitrary document, without disclosing the authentication characteristic information itself.

[Embodiment]

[Basic Components]

In the present invention, the following are cryptographic basic components:

p prime number
F_p p-element field
G Abelian group whose annihilator is difficult in point of computational complexity to determine
D space of commitments
π a mapping from G to D [Expression 3]

Mathematical concepts referred to hereinafter without being explained will not be explained herein because all of them are fundamental. Refer to Encyclopedic Dictionary of Mathematics (Third Edition) edited by Mathematical Society of Japan, published by Iwanami Shoten Publishers, for example.

Generally, the annihilator Ann(G) of an Abelian group G, if the operation of the group is described multiplicatively, is an ideal of the rational integer ring Z defined by

Ann(G) = {a ∈ Z; ∀g ∈ G, g^a = 1} [Expression 4]

and since the rational integer ring Z is a principal ideal domain, the above expression could be written as Ann(G) = λZ by a generating element λ ∈ Z of Ann(G), where λZ is all multiples of λ. Determining an annihilator means finding a generating element λ ∈ Z of Ann(G).

Letting n ∈ Z be a composite number and G be the multiplicative group (Z/nZ)* of the residue class ring of rational integers modulo n, λ = λ(n) is established, where λ(n) is the Carmichael function of n, and when n is a power of 2, the following expression is satisfied:

λ(n) = 1 (n = 2); λ(n) = 2 (n = 4); λ(n) = n/4 (n ≠ 2, 4) [Expression 5]

When n is a power of an odd prime p, λ(n) = n(p − 1)/p, and for general n, λ(n) is obtained from the factorization of n into prime factors as the least common multiple of the values for the prime power factors.

Accordingly, if the factorization of n into prime factors is already known, the annihilator of G can be obtained in polynomial time of log n; conversely, if the generating element λ of the annihilator area is already known, n can be factored into prime factors in probabilistic polynomial time of log n by generating a non-trivial square root of 1, that is, g satisfying the following expression,

g ∈ G; g ∉ {1, −1}; g^2 = 1 [Expression 6]

so that the annihilator determination problem in this case can be expected to be as difficult as the prime factorization problem in point of computational complexity.

Letting p_1 and p_2 be mutually different odd prime numbers satisfying p_1 ≡ p_2 ≡ 2 mod 3, n be equal to p_1 p_2, b be an integer prime to n, E be an Abelian scheme defined on Z/nZ by the homogeneous equation

Y^2 Z = X^3 + b Z^3, [Expression 7]

that is,

E = Proj Z/nZ[X, Y, Z]/(Y^2 Z − X^3 − b Z^3), [Expression 8]

and G be the finite group E(Z/nZ) consisting of the Z/nZ-valued points of E, then λ is the least common multiple of p_1 + 1 and p_2 + 1, in which case the annihilator area determination problem can also be expected to be difficult in point of computational complexity.

π may be defined as, e.g., an identity mapping id: G → G or as h: G → D using a hash function h.
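The Carmichael function and annihilator described above, as an added Python example that is not from the patent: λ(n) is computed case by case exactly as the page states (the power-of-two cases of Expression 5, n(p − 1)/p for odd prime powers, and the least common multiple over the prime power factors), and then checked by brute force against the definition of Ann(G) in Expression 4 on small constructed moduli. The trial-division factorization is only there for toy n; for n of the size the page considers, the whole point is that this step is infeasible without the factors, which is why λ(n) stays hidden from anyone who does not hold them.

```python
import math
from collections import Counter
from typing import Dict


def factorize(n: int) -> Dict[int, int]:
    """Trial-division factorization {prime: exponent}; only for the toy n used here."""
    factors: Counter = Counter()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] += 1
            n //= d
        d += 1
    if n > 1:
        factors[n] += 1
    return dict(factors)


def carmichael_prime_power(p: int, e: int) -> int:
    """λ(p^e): the Expression 5 cases for powers of 2, and n(p-1)/p for an odd prime p."""
    n = p ** e
    if p == 2:
        if n == 2:
            return 1
        if n == 4:
            return 2
        return n // 4
    return n // p * (p - 1)


def carmichael(n: int) -> int:
    """λ(n): least common multiple of λ over the prime power factors of n."""
    return math.lcm(*(carmichael_prime_power(p, e) for p, e in factorize(n).items()))


def annihilator_generator(n: int) -> int:
    """Generator of Ann((Z/nZ)*) by brute force from Expression 4: the least a >= 1
    with g^a = 1 for every unit g. Feasible only for tiny n; must agree with carmichael(n)."""
    units = [g for g in range(1, n) if math.gcd(g, n) == 1]
    a = 1
    while any(pow(g, a, n) != 1 for g in units):
        a += 1
    return a


def exponent_admissible(p: int, n: int) -> bool:
    """The Guillou-Quisquater condition stated in the prior art: p must not divide λ(n)."""
    return carmichael(n) % p != 0


if __name__ == "__main__":
    for n in (8, 15, 32, 561):
        print(n, factorize(n), "λ(n) =", carmichael(n), "brute force:", annihilator_generator(n))
```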
A hash function is a function for which it is expected to be difficult in point of computational complexity to find mutually different m and m' satisfying h(m) = h(m'); for example, MD5 by RSA Data Security Inc. and SHS (Secure Hash Standard) by the U.S. Federal Government are well known.

When π is an identity mapping, the cost of computing π is unnecessary. When π is a hash function and the bit length required to express an element of D is smaller than the bit length required to express an element of G, this produces the effect of reducing traffic.

For example, for a composite number n of about 1024 bits that is difficult to factor into prime factors, if SHS is used as π, letting G = (Z/nZ)*, the size of commitment r can be compressed down to 160 bits.

By the way, the bit length of p can be no more than 40 bits for authentication of question-and-answer type and no more than 160 bits for signature, accounting for fast Guillou-Quisquater authentication.

[Interaction Device]

FIG. 3 shows the configuration of an interaction device 300. The interaction device 300 is mounted as a tamperproof container and is characterized by a specific private function before being distributed to users. The interaction device 300 can also be configured as a portable compact computation device such as a smart card. The interaction device 300 comprises an input-output unit 301, a memory unit 302, a document processing unit 303, a random number generation unit 304, a G algorithm execution unit 305, a π computation unit 306, an f computation unit 307, a φ computation unit 308, and a message generation unit 309.

FIG. 4 shows the operation of the interaction device 300. Hereinafter, the operation of the interaction device 300 will be described.

Step [1] Generate nonreproducible private information k ∈ G using the random number generation unit 304 and store it in the memory unit 302.

Step [2] Use the algorithm execution unit 305 in G and the π computation unit 306 to compute commitment r from the nonreproducible private information k stored in the memory unit 302 by the following expression and store it in the memory unit 302:

r = π(k^p). [Expression 9]

Of course, when π is an identity mapping, the π computation unit 306 is unnecessary.

Step [3] Use the input-output unit 301 to output the commitment r stored in the memory unit 302.

Step [4] Use the input-output unit 301 to input challenge χ and store it in the memory unit 302.

Step [5] Use the input-output unit 301 to input document m and store it in the memory unit 302.

Step [6] Use the document processing unit 303 and perform processing suitable for the document m stored in the memory unit 302.

Step [7] Use the computation unit 307 for the private function f specific to the interaction device to compute document private information μ ∈ G from the document m stored in the memory unit 302 by the following expression and store the result in the memory unit 302:

[Expression 10]

The computation unit 307 of the function f may be comprised of, e.g., the memory unit 302 for storing private information d specific to the interaction device and the computation unit of the hash function h, to compute

f(m) = h(d|m), [Expression 11]

where "|" denotes the concatenation of bits.

Step [8] Use the message generation unit 309 to generate message M and store it in the memory unit 302.

Step [9] Use the φ computation unit 308 to compute exponent c from the challenge χ and message M stored in the memory unit 302 by the following expression and store the result in the memory unit 302:

c = φ(χ, M). [Expression 12]

Step [10] Use the algorithm execution unit 305 in G to compute response σ from the nonreproducible private information k, document private information μ, and exponent c stored in the memory unit 302 by the following expression and store the result in the memory unit 302:

σ = k μ^c. [Expression 13]

Step [11] Use the input-output unit 301 to output the message M and response σ stored in the memory unit 302.

Step [6] is not always required, depending on the application. Accordingly, the interaction device 300 could also be configured without having the document processing unit 303. By providing the document processing unit 303, the processing of the interaction device 300 can be changed for each interaction, and a ticket described later can be provided with numerous functions.

[Constraints of Operation Execution Order]

Steps 1 to 11 need not always be performed sequentially in this order. When the order relation that step "a" must be executed before step "b" is represented by

a → b, [Expression 14]

the constraints on the execution order of the steps are as follows.

1 → 2 → 3 → 4
5 → 6, 7
4, 8 → 9
7, 9 → 10 → 11 [Expression 15]

is a constraint on execution order that must always be satisfied.

When the operation of the document processing unit 303 influences other operations, a constraint on execution order will further arise as described below.

[When G, p, and π are Variable]

When the document m defines G, 6 → 2 is requested. This is true of a case where the interaction device is configured so that parameters defining G are described in document m, the parameters are specified in step [6], and the algorithm execution unit in G can perform computations according to the specified parameters.

When the document m defines p, 6 → 2 is requested. This is true of a case where the interaction device is configured so that parameters defining p are described in document m, the parameters are specified in step [6], and the algorithm execution unit in G can perform computations according to the specified parameters.

When the document m defines π, 6 → 2 is requested. This is true of a case where the interaction device is configured so that parameters defining G are described in the document m, the parameters are specified in step [6], and the π computation unit can perform computations according to the specified parameters.

In these examples, although G, p, and π can be changed for each interaction, these can also be constructionally fixed.
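The interaction device steps [1] to [11] above, the summary steps (a) to (f), and the ticket transformation described in the overview, as one added Python example that is not the patent's own code. The device holds private information d and computes μ = f(m) = h(d|m) (Expression 11) and σ = k μ^c (Expression 13); the ticket issuance device, which knows f and x, derives the ticket; the user turns (r, χ, M, σ) into (r, χ, M, s), and a plain Guillou-Quisquater verifier of FIG. 1 accepts it. The page does not give the ticket formula in this section, so the construction t = x μ^(-1) mod n with s = σ t^c is an assumption made here for illustration, as are the toy-sized constructed parameters, the SHA-256 realisations of h and φ, and the choice of π as h: G → D so that a commitment is a 32-byte digest rather than an element of G.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (not the patent's); a deployable n is ~1024 bits.
P1, P2 = 1000003, 1000033
N = P1 * P2                           # n; G = (Z/nZ)*
P = 65537                             # prime exponent p, must not divide λ(n)
assert math.lcm(P1 - 1, P2 - 1) % P != 0
N_BYTES = (N.bit_length() + 7) // 8


def pi(g: int) -> bytes:
    """π: G -> D realised as h(g) with h = SHA-256, so commitments are 32-byte digests."""
    return hashlib.sha256(g.to_bytes(N_BYTES, "big")).digest()


def phi(chi: int, message: bytes) -> int:
    """φ: C×S -> F_p (Expression 12), realised as a hash of χ and M reduced modulo p."""
    digest = hashlib.sha256(chi.to_bytes(32, "big") + message).digest()
    return int.from_bytes(digest, "big") % P


def f(d: bytes, m: bytes) -> int:
    """Private function f(m) = h(d|m) (Expression 11) with h = SHA-256, reduced into G."""
    return int.from_bytes(hashlib.sha256(d + m).digest(), "big") % N


class InteractionDevice:
    """Model of device 300 running steps [1]-[11] without a document processing unit."""

    def __init__(self, d: bytes):
        self._d = d          # private information d: never leaves the device
        self._k = None       # nonreproducible private information of the current run

    def commit(self) -> bytes:
        self._k = secrets.randbelow(N - 1) + 1          # step [1]
        return pi(pow(self._k, P, N))                    # steps [2],[3]: r = π(k^p)

    def respond(self, chi: int, m: bytes, message: bytes) -> int:
        mu = f(self._d, m)                               # step [7]: μ = f(m)
        c = phi(chi, message)                            # step [9]: c = φ(χ, M)
        return self._k * pow(mu, c, N) % N               # steps [10],[11]: σ = k·μ^c


def keygen() -> tuple:
    """Issuer's authentication characteristic information x and public I with I·x^p = 1."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return x, pow(pow(x, P, N), -1, N)


def issue_ticket(x: int, d: bytes, m: bytes) -> int:
    """Ticket issuance device 400: knows f (via d) and x, computes μ = f(m) for document m.
    ASSUMED construction: t = x·μ^(-1) mod n; the page only says t is generated from x and μ."""
    mu = f(d, m)
    return x * pow(mu, -1, N) % N


def transform(sigma: int, t: int, chi: int, message: bytes) -> int:
    """User side: s from χ, σ, M and t. Assumed s = σ·t^c = k·μ^c·x^c·μ^(-c) = k·x^c."""
    return sigma * pow(t, phi(chi, message), N) % N


def gq_verify(I: int, r: bytes, chi: int, message: bytes, s: int) -> bool:
    """Plain Guillou-Quisquater verifier of FIG. 1: accept iff r = π(s^p · I^c)."""
    c = phi(chi, message)
    return r == pi(pow(s, P, N) * pow(I, c, N) % N)


def demo() -> bool:
    d = b"constructed device secret d"
    device = InteractionDevice(d)
    x, I = keygen()
    m = b"constructed document: admit one"
    t = issue_ticket(x, d, m)            # the user receives t, never x or μ
    r = device.commit()
    chi = secrets.randbelow(1 << 128)
    M = b"entering gate 3"
    sigma = device.respond(chi, m, M)
    s = transform(sigma, t, chi, M)
    return gq_verify(I, r, chi, M, s)


if __name__ == "__main__":
    print("ticket-transformed interaction accepted:", demo())
```

The verifier here is unchanged from the prior-art one and holds only I; it never sees μ, x, d or t. A ticket issued for a different document yields a different μ, so transforming the same σ with it does not produce a valid s, which is what ties the ticket's effectivity to the document the device was given.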
[Prior Execution of Power Computation]

Herein, G, p, and n are assumed to be fixed. 

If a plurality of sets (k, r) of nonreproducible private 
information and commitment can be stored in the memory 
unit 302, since prior repeated executions of steps [1] and [2] 
in this order eliminate the need to generate commitment r 
immediately before challenge % is input, the interaction 
device requires less time for interaction. 

The only portion specific to each interaction device is a 
private function f and therefore the portion of generating 
commitment r can be separated and shared. 

FIG. 8 shows the configuration of an interaction device from which a power computation unit is separated. In this configuration example, the interaction device 300 is divided into a response generation unit 310 and a commitment generation unit 311, and steps [1] and [2] are performed in the commitment generation unit 311. In FIG. 8, locations corresponding to FIG. 3 are assigned the corresponding reference numerals.

Nonreproducible private information k is transferred from the commitment generation unit 311 to the response generation unit 310 by private communication.

The response generation unit may also be configured as a smart card.

[When Conditions of Response Generation are Variable] 

When the document m defines conditions for response generation, the conditions for response generation are specified in the document m and processing is stopped if the conditions are not satisfied in step [6].

Specific examples of processing in accordance with the 
document m will be described. 

For example, conditions of challenge χ to permit the generation of a response are specified in the document m, and if the challenge χ stored in the information memory unit 302 does not satisfy the conditions in step [6], the interaction device 300 stops processing.

Examples of conditions of challenge to permit the generation of a response will be described. A parameter for defining the expiration date of response generation is specified in the document m, a specific bit field when challenge χ is expressed as a bit string is regarded as the expression of current time, the expiration date and the current time are compared, and the interaction device 300 stops processing if the expiration date has elapsed.

For example, the document processing unit 303 has a clocking unit to hold current time, a parameter for defining the expiration date of response generation is specified in the document m, the expiration date and current time are compared in step [6], and the interaction device 300 stops processing if the expiration date has elapsed.

For example, the document processing unit 303 has a 
counter, a flag to define whether to decrement the value of 
the counter is specified in the document m, and when the flag 
indicates decrement operation in step [6], if a counter value 
is not 0, the counter value is decremented by 1; if 0, the 
interaction device 300 stops processing. 

For example, the document processing unit 303 has a 
counter, a value by which to decrement the counter is 
specified in the document m, and if the counter value is not 
smaller than the value to decrement in step [6], the counter 
value is decremented by the specified value; otherwise, the 
interaction device 300 stops processing. 

For example, the document processing unit 303 has a 
plurality of counters, pointers to define corresponding 
counters are specified in the document m, and if the value of 
the defined counter is not 0 in step [6], the counter value is 
decremented by 1; if 0, the interaction device 300 stops 
processing. 
For example, the document processing unit 303 has a plurality of counters, pointers to define corresponding counters and a value to decrement are specified in the document m, and if the value of the defined counter is not smaller than the value to decrement in step [6], the counter value is decremented by the specified value; otherwise, the interaction device 300 stops processing.
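The document-controlled conditions of step [6] just listed (an expiration date compared against a clocking unit or against a bit field of χ, and a single counter or a pointed-to counter among several, charged by 1 or by a document-specified value), as an added Python model that is not the patent's code. The layout of the conditions inside m, the choice of the low 32 bits of χ as the time field, and the rule that every condition is checked before any counter is charged are assumptions made here; the model returns whether the interaction device continues past step [6] or stops processing.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed encoding: the low 32 bits of challenge χ are read as the current time
# when the unit has no clocking unit of its own.
TIME_FIELD_BITS = 32


@dataclass
class Document:
    """Response-generation conditions carried by document m (constructed layout)."""
    expires_at: Optional[int] = None   # expiration date of response generation, or none
    counter_id: Optional[int] = None   # pointer to the counter to charge, or none
    decrement: int = 1                 # value by which that counter is decremented


@dataclass
class DocumentProcessingUnit:
    """Model of unit 303: step6() returns True to continue, False when the device stops."""
    counters: List[int]                # one or several counters held by the unit
    clock: Optional[int] = None        # current time, if the unit has a clocking unit

    def current_time(self, chi: int) -> int:
        """Prefer the clocking unit; otherwise take the time field out of χ."""
        if self.clock is not None:
            return self.clock
        return chi & ((1 << TIME_FIELD_BITS) - 1)

    def step6(self, doc: Document, chi: int) -> bool:
        # Every condition is checked before any counter is charged, so a rejected
        # interaction leaves the device state unchanged.
        if doc.expires_at is not None and self.current_time(chi) > doc.expires_at:
            return False                                 # expiration date has elapsed
        if doc.counter_id is not None:
            if not 0 <= doc.counter_id < len(self.counters):
                return False                             # pointer to no counter: stop
            if self.counters[doc.counter_id] < doc.decrement:
                return False                             # counter cannot cover the charge
            self.counters[doc.counter_id] -= doc.decrement
        return True


if __name__ == "__main__":
    unit = DocumentProcessingUnit(counters=[3, 1], clock=1_000)
    ride = Document(expires_at=2_000, counter_id=0, decrement=1)
    results = [unit.step6(ride, chi=0) for _ in range(4)]
    print(results, unit.counters)   # three admissions, then the device stops
```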
[When a Method of Generating Messages is Defined in a Document]

The document m defines a method of generating messages. This is true of a case where parameters for defining message generation are described in the document m, the parameters are specified in step [6], and the message generation unit 309 generates messages according to the specified parameters.

Specific examples of processing in accordance with the 
document m will be described. 

The simplest case is found when a message M is deter- 
mined as a function of the document m. For example, a 

20 specific bit field in the document m is used as a message M. 
For example, conditions of challenge x to permit the 
generation of response are specified in the document m, and 
if the challenge x stored in the information memory unit 302 
does not satisfy the conditions step [6], the interaction 

25 device 300 stops processing. 

Examples of conditions of challenge to permit the gen- 
eration of response will be described. A parameter for 
defining the expiration date of response generation is speci- 
fied in the document m, a specific bit field when challenge 

30 x is expressed as a bit string is regarded as the expression of 
current time, the expiration date and the current time are 
compared, and the interaction device 300 stops processing if 
the expiration date has elapsed. 
For example, the document processing unit 303 has a 

35 clocking unit to hold current time, a parameter for defining 
the expiration date of response generation is specified in the 
document m, the expiration date and current time are com- 
pared in step [6], and the interaction device 300 stops 
processing if the expiration date has elapsed. 

40 For example, the document processing unit 303 has a 
counter, a flag to define whether to decrement the value of 
the counter is specified in the document m, and when the flag 
indicates decrement operation in step [6], if a counter value 
is not 0, the counter value is decremented by 1 and a flag 

45 (indicating whether the decrement operation has succeeded 
or not) stored in the message generation unit 309 is turned 
on; if the counter value is 0, the flag stored in the message 
generation unit 309 is turned off, and the message generation 
unit 309 generates a message as a set of the counter value 

50 and a flag value indicating whether the decrement operation 
has succeeded. 

For example, the document processing unit 303 has a 
counter, a value by which to decrement the counter is 
specified in the document m, and if the counter value is not 

55 smaHer than the value to decrement in step [6], the counter 
value is decremented by the specified value, the flag 
(indicating whether the decrement operation has succeeded 
or not) stored in the message generation unit 309 is turned 
on; if the counter value is smaller than the value to 

60 decrement, the flag stored in the message generation unit 
309 is turned off, and the message generation unit 309 
generates a message as a set of the counter value and a flag 
value indicating whether the decrement operation has suc- 
ceeded. 

65 For example, the document processing unit 303 has a 
plurality of counters, pointers to define corresponding 
counters are specified in the document m, and if the value of 
the defined counter is not 0 in step [6], the counter value is 
decremented by 1 and the flag stored in the message generation 
unit 309 is turned on; if the value of the defined counter is 0, 
the flag stored in the message generation unit 309 is turned off 
and the message generation unit 309 generates a message as a set 
of the value of the defined counter and the flag value. 

For example, the document processing unit 303 has a plurality 
of counters, pointers to define corresponding counters and a 
value to decrement are specified in the document m, and if the 
value of the defined counter is not smaller than the value to 
decrement in step [6], the counter value is decremented by the 
specified value and the flag stored in the message generation 
unit 309 is turned on; if the value of the defined counter is 
smaller than the value to decrement, the flag stored in the 
message generation unit 309 is turned off and the message 
generation unit 309 generates a message as a set of the value 
of the defined counter and the flag value. 

[Document Processing and Other Examples] 

For example, the document processing unit 303 has a counter, 
a value to increment is specified in the document m, and the 
counter value is incremented by the specified value in step [6]. 

For example, the document processing unit 303 has a plurality 
of counters, pointers to define corresponding counters and a 
value to increment are specified in the document m, and the 
value of the defined counter is incremented by the specified 
value in step [6]. 

For example, the document processing unit 303 has a clocking 
unit to hold current time and a unit to hold history 
information, a flag to define whether to record history is 
specified in the document m, and if the flag indicates the 
recording of history, a tuple of the current time stored in 
the clocking unit and the document m is stored in the unit to 
hold history information. 

[Batch Processing of a Plurality of Documents] 

In the examples described above, only one document m is 
involved in one interaction, but a construction can also be 
made so that a plurality of documents m_1, ..., m_N can be 
involved. 

FIG. 10 shows the operation of an interaction device that 
performs batch processing for a plurality of documents. When a 
plurality of documents is to be handled in one interaction, 
steps [5] to [7] have to be replaced by the following steps 
[10] to [12]. 

Step [10] Use the input-output unit 301 to input documents 
m_1, ..., m_N and store them in the memory unit 302. 
Step [11] Use the document processing unit 303 and perform 
processing sequentially in accordance with the documents 
m_1, ..., m_N stored in the memory unit 302. 
Step [12] Use the computation unit 307 of a private function f 
specific to the interaction device to compute document private 
information μ ∈ G from the documents m_1, ..., m_N stored in 
the memory unit 302 by the following expression and store it 
in the memory unit 302. 

μ = f(m_1) ... f(m_N). [Expression 16] 

Of course, when a plurality of documents are to be handled in 
one interaction, care must be taken so that there is no 
conflict among the execution results of processing for each 
document m_i. 

[Ticket Issuance Device] 

The ticket issuance device 400 uses the following verification 
information I and authentication characteristic information x: 

I ∈ G Verification information 
x ∈ G Authentication characteristic information, where 
authentication characteristic information x and verification 
information I satisfy the following relation: 

I x^p = 1. [Expression 17] 

Assume that a generator λ of the annihilator Ann(G) is known. 
If p is prime to λ, since d satisfying 

p d ≡ 1 (mod λ) [Expression 18] 

can be computed, for any verification information I, 
corresponding authentication characteristic information x can 
be obtained as 

x = I^{-d}. [Expression 19] 

Also, when p = 2, if n is a Blum number in G = (Z/nZ)*, I can 
be defined almost arbitrarily. For details, refer to "How to 
prove yourself: practical solutions to identification and 
signature problems", Advances in Cryptology CRYPTO '86 (Lecture 
Notes in Computer Science v. 263), A. M. Odlyzko (ed.), 
Springer-Verlag, pp. 186-194 by Fiat and Shamir. 

FIG. 5 shows the configuration of a ticket issuance device, 
and FIG. 6 shows the operation of the ticket issuance device. 
The ticket issuance device 400 comprises an input-output unit 
401, a memory unit 402, a G algorithm execution unit 403, and 
an f computation unit 404. Hereinafter, the operation of the 
ticket issuance device 400 will be described. 

[1] Use the input-output unit 401 to input authentication 
characteristic information x and store it in the memory 
unit 402. 
[2] Use the input-output unit 401 to input document m and 
store it in the memory unit 402. 
[3] Use the input-output unit 401 to input the identifier U of 
the interaction device 300 and store it in the memory unit 
402. 
[4] Use the computation unit 404 of a private function f 
specific to the interaction device 300 identified by the 
identifier U stored in the memory unit 402 to compute 
document private information μ from the document m stored 
in the memory unit 402 by the following expression and 
store the result in the memory unit 402: 

μ = f(m). [Expression 20] 

[5] Use the algorithm execution unit 403 in G to compute 
ticket t from the authentication characteristic information 
x and document private information μ stored in the memory 
unit 402 by the following expression and store the result 
in the memory unit 402: 

t = x μ^{-1}. [Expression 21] 

[6] Use the input-output unit 401 to output the ticket t 
stored in the memory unit 402. 

The private function f specific to the interaction device 300 
for each identifier U, as described in the section on the 
interaction device, may also be computed as f(m) = h(d|m) using 
private information d specific to the interaction device 300 
and a hash function h. 

The private information d specific to the interaction device 
300 may also be generated at random by, e.g., a ticket issuer 
so that a tuple (U, d) with the identifier U of the interaction 
device is stored. 

Using private information D of a ticket issuer, the private 
information d specific to the interaction device 300 may also 
be generated to satisfy the following expression where U is 
the identifier of the interaction device 300: 

d = U|D. [Expression 22] 
However, generating d in this manner has the problem that 
the private information D of the ticket issuer may leak when 
the tamper-proof capability of the interaction device 
collapses. 

It is more desirable that a hash function h is used to 
generate d as 

d = h(U|D), [Expression 23] 

because the interaction device 300 need not hold D and it is 
difficult to obtain D from d because of the one-way nature 
of the hash function. 

The document m can afford any values that can become 
input values of the private function f. 

Further, the document m may also describe processing to 
be performed by the document processing unit 303 of the 
interaction device 300 as described in the section on the 
interaction device. 

Further, the document m may also describe information to 
identify tickets. 

For example, a provider's identifier, the identifier of the 
service provided by a ticket, or a sequential ID assigned in 
the order of ticket issuance may also be included in the 
document m. 

A ticket issuer, for example, can also manage authentication 
characteristic information x and an identifier thereof, and 
include the identifier in the document m. 

For example, values determined from public information 
I corresponding to authentication characteristic information 
x may also be included. 

[Method of Synthesizing Ticket] 

Here, let G, p, and n be common to the system and let the 
interaction device 300 correspond to a plurality of 
documents. 

Let t_1, ..., t_N ∈ G be tickets generated for the interaction 
device 300 having a specific private function f and I_i ∈ G be 
the verification information corresponding to each ticket t_i. 

A synthesized ticket t corresponding to synthesized 
verification information I = I_1 ... I_N can be generated by the 
following expression. 

t = t_1 ... t_N. [Expression 24] 

Document m_i corresponds to ticket t_i and authentication 
characteristic information x_i corresponds to verification 
information I_i. That is, letting I_i x_i^p = 1, since document 
private information μ_i = f(m_i) gives 

t_i = x_i μ_i^{-1}, [Expression 25] 

letting x = x_1 ... x_N, x is authentication characteristic 
information corresponding to synthesized verification 
information I, that is, I x^p = 1, and document private 
information μ = f(m_1) ... f(m_N) satisfies the following 
expression. 

t = x μ^{-1}. [Expression 26] 

[Proof Method by use of Ticket] 

FIG. 11 shows the operation of a proof method by use of 
ticket. 

Hereinafter, a description will be made of a proof method 
by use of ticket and an interaction device. 

Assume that a user has an interaction device characterized 
by a private function f, and document m and ticket t that 
satisfy t = x f(m)^{-1}. 

Commitment r, and message M and response s for challenge 
χ are generated in a way described below. 
[1] Use the interaction device 300 to obtain commitment r. 
[2] Use the interaction device 300 to obtain message M and 
response σ corresponding to document m and challenge χ. 
[3] Compute exponent C from challenge χ and obtained 
message M by the expression C = φ(χ, M). 
[4] Compute response s from ticket t, exponent C, and 
obtained response σ by the following expression. 

s = t^C σ. [Expression 27] 

At this time, (r, χ, M, s) satisfies the following expression. 

r = π(s^p I^C). [Expression 28] 

In this way, without telling the user the authentication 
characteristic information x, by using the interaction device 
300 and ticket t, a prover function shown in FIG. 1 for 
verification information I can be distributed. 

Since a verifier corresponding to the prover is exactly the 
same as that in the conventional example shown in FIG. 1, 
the verification device needs only the verification 
information I, so that a great number of users can be 
authenticated simply with an extremely small device. 

[Fiat-Shamir Authentication] 

Particularly, when p = 2, 

r = π(s^2 I^C) [Expression 29] 

is satisfied; the relationship of so-called Fiat-Shamir 
authentication is satisfied. 

In this way, without telling the user the private information 
x, by using an interaction device and ticket t, the prover 
function of Fiat-Shamir authentication for verification 
information I can be distributed. 

For details of Fiat-Shamir authentication, refer to "How to 
prove yourself: practical solutions to identification and 
signature problems". 

[Guillou-Quisquater Authentication] 

Particularly, when p is prime to the generator λ of the 
annihilator of G, it means that a user has behaved as a prover 
of Guillou-Quisquater authentication. 

In this way, without telling the user the private information 
x, by using an interaction device and ticket t, the prover 
function of Guillou-Quisquater authentication for verification 
information I can be distributed. 
[Ticket Verification Device] 

FIG. 9 shows the configuration of a ticket verification 
device and FIG. 7 shows the operation of a ticket verification 
device. 

A ticket verification device verifies tickets by interacting 
with an interaction device. The ticket verification device 500 
comprises an input-output unit 501, a memory unit 502, a 
random number generation unit 503, a G algorithm execution 
unit 504, a π computation unit 505, and a φ computation 
unit 506. 

Hereinafter, the operation of the ticket verification device 
500 will be described. 

The ticket verification device 500 stores verification 
information I and ticket t in the memory unit 502. 

[1] Use the input-output unit 501 to input commitment r and 
store it in the memory unit 502. 
[2] Use the random number generation unit 503 to generate 
challenge χ and store it in the memory unit 502. 
[3] Use the input-output unit 501 to output the challenge χ 
stored in the memory unit 502. 
[4] Use the input-output unit 501 to input message M and 
response σ and store them in the memory unit 502. 
[5] Use the φ computation unit 506 to compute exponent C 
from the challenge χ and message M stored in the memory 
unit 502 as C = φ(χ, M), and store the result in the 
memory unit 502. 
[6] Use the algorithm execution unit 504 in G, and if 
necessary the π computation unit 505, to compute 

r' = π(t^{pC} σ^p I^C) [Expression 30] 

from C, σ, I, and ticket t stored in the memory unit 502, and 
store the result in the memory unit 502. 

If π is an identity mapping, the π computation unit is not 
required. 

r' may be computed as, e.g., r' = π((t^p I)^C σ^p). 
[7] Compare r with r' stored in the memory unit 502. 

If ticket t corresponds to document private information μ 
and authentication characteristic information x, 

t = x μ^{-1} [Expression 31] 

is satisfied and, in interaction based on document private 
information μ, (r, χ, M, σ) satisfies 

r = π(k^p) 

and 

σ = k μ^C. [Expression 32] 

Accordingly, in interaction between the interaction device 
300 satisfying μ = f(m) where f is a private function, and the 
verification device 500, r = r' is satisfied, since 
t^{pC} σ^p I^C = x^{pC} μ^{-pC} k^p μ^{pC} I^C = k^p (I x^p)^C = k^p. 
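The issuance, proof and verification steps above (Expressions 17 to 21, 27, 28 and 30 to 32), the batch computation of μ (Expression 16) and the synthesized-ticket construction (Expressions 24 to 26), as an added, runnable Python model; this is example code, not the patent's own text or code. It assumes toy parameters that are far too small to be secure: G = (Z/nZ)* with n = 61·53, λ = 780, the prime exponent p = 7, SHA-256 standing in for both h and φ, π the identity mapping, and f(m) = h(d|m) with a constructed device secret d. All function and class names, and the sample documents, are this example's own.

```python
import hashlib
import secrets
from functools import reduce
from math import gcd

# Constructed toy parameters (NOT secure, but small enough to check by hand): G = (Z/nZ)*
# with n = 61*53, lambda = lcm(60, 52) = 780 generating the annihilator Ann(G), and the
# exponent p = 7 prime to lambda, i.e. the Guillou-Quisquater setting of the text.
N, LAMBDA, P = 61 * 53, 780, 7

def hash_to_int(*parts: bytes) -> int:
    """Hash function h over a '|'-joined byte string (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def to_group(v: int) -> int:
    """Map an integer into G = (Z/nZ)*, skipping residues that are not units."""
    v %= N
    while v == 0 or gcd(v, N) != 1:
        v = (v + 1) % N
    return v

def phi(chi: int, message: bytes) -> int:
    """Exponent C = phi(chi, M) in the p-element field F_p, derived from h."""
    return hash_to_int(chi.to_bytes(32, "big"), message) % P

def pi(g: int) -> int:
    """Mapping pi: G -> R; the identity mapping, which the text allows."""
    return g

# ---- ticket issuer (device 400) ----------------------------------------------
def auth_info_from_verification(I: int) -> int:
    """Expressions 18/19: d with p*d = 1 (mod lambda) and x = I^(-d), so I x^p = 1."""
    d = pow(P, -1, LAMBDA)
    return pow(pow(I, -1, N), d, N)

def private_function(dev_secret: bytes, document: bytes) -> int:
    """f(m) = h(d|m): the device-specific private function, d = the device's secret."""
    return to_group(hash_to_int(dev_secret, document))

def issue_ticket(x: int, dev_secret: bytes, document: bytes) -> int:
    """Issuance steps [4], [5]: mu = f(m), t = x * mu^(-1) (Expressions 20, 21)."""
    return x * pow(private_function(dev_secret, document), -1, N) % N

# ---- interaction device 300 (tamper-proof; holds only its secret d and k) ------
class InteractionDevice:
    def __init__(self, dev_secret: bytes):
        self.secret, self.k = dev_secret, None

    def commit(self) -> int:
        """Draw nonreproducible k in G at random and output commitment r = pi(k^p)."""
        self.k = to_group(secrets.randbelow(N))
        return pi(pow(self.k, P, N))

    def respond(self, documents: list, chi: int) -> tuple:
        """Expression 16: mu = f(m_1)...f(m_N); message M = the documents themselves
        (as in the membership-card example); response sigma = k * mu^C."""
        mu = reduce(lambda acc, m: acc * private_function(self.secret, m) % N, documents, 1)
        message = b"|".join(documents)
        return message, self.k * pow(mu, phi(chi, message), N) % N

# ---- user (prover) and the two kinds of verifier -------------------------------
def convert_response(ticket: int, chi: int, message: bytes, sigma: int) -> int:
    """Proof method step [4], Expression 27: s = t^C * sigma."""
    return pow(ticket, phi(chi, message), N) * sigma % N

def gq_verify(I: int, r: int, chi: int, message: bytes, s: int) -> bool:
    """Expression 28: the plain Guillou-Quisquater check r = pi(s^p I^C)."""
    C = phi(chi, message)
    return r == pi(pow(s, P, N) * pow(I, C, N) % N)

def ticket_verify(I: int, ticket: int, r: int, chi: int, message: bytes, sigma: int) -> bool:
    """Ticket verification device step [6]: r' = pi((t^p I)^C sigma^p), then r == r'."""
    C = phi(chi, message)
    return r == pi(pow(pow(ticket, P, N) * I % N, C, N) * pow(sigma, P, N) % N)

def run_protocol(I: int, ticket: int, device: InteractionDevice, documents: list,
                 chi: int = None) -> tuple:
    """One interaction; returns (plain GQ verdict, ticket verification device verdict)."""
    r = device.commit()
    chi = secrets.randbelow(N) if chi is None else chi      # challenge from the verifier
    message, sigma = device.respond(documents, chi)
    s = convert_response(ticket, chi, message, sigma)
    return gq_verify(I, r, chi, message, s), ticket_verify(I, ticket, r, chi, message, sigma)

def demo() -> tuple:
    device_secret = b"device-U-secret"                      # constructed sample value
    device = InteractionDevice(device_secret)
    I1, I2 = 2, 6                 # two services; I1^-1 I2 = 3 and 3^C != 1 for C = 1..6
    x1, x2 = auth_info_from_verification(I1), auth_info_from_verification(I2)
    m1, m2 = b"Xerox Club|0017 257 65537", b"Xerox Store|0917"
    t1, t2 = issue_ticket(x1, device_secret, m1), issue_ticket(x2, device_secret, m2)
    single = run_protocol(I1, t1, device, [m1])
    # Method of Synthesizing Ticket (Expressions 24-26): t1*t2 proves for I1*I2 over m1, m2.
    synth = run_protocol(I1 * I2 % N, t1 * t2 % N, device, [m1, m2])
    # The ticket for service 1 presented to the verifier of service 2 must fail. A challenge
    # with C != 0 is forced, since C = 0 passes any GQ round (the price of a tiny p here).
    bad_chi = next(c for c in range(1, 64) if phi(c, m1) != 0)
    wrong = run_protocol(I2, t1, device, [m1], chi=bad_chi)
    return single, synth, wrong
```

The user side never sees x: it only multiplies the device's σ by t^C. The plain verifier (`gq_verify`) holds I alone, which is the point made above about small verification devices; the ticket verification device (`ticket_verify`) additionally holds t and so can check the device's σ directly. With a real-size p the soundness error per round is 1/p, which is why the example has to sidestep C = 0 explicitly.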
[For a Variable Number of Tickets] 

Herein, a description will be made of a configuration in 
which tickets are input to the input-output unit 501 and the 
input tickets are stored in the ticket memory unit 502. 

Prior to steps [1] to [6], the ticket verification device 500 
performs the steps described below. 
[8] Use the input-output unit 501 to input ticket t and store 

it in the memory unit 502. 

This configuration permits verification of a plurality of 
tickets. 

When space of commitments R and space of challenges C 
are equal and a function to generate an exponent, which uses 
a hash function h, satisfies 



[Expression 33] 



then, letting challenge χ be commitment r itself, that is, 
letting χ = r, for an interaction succeeding in verification, 
the signature (M, R, s) may be stored as a verification history 
in the memory unit. 

This configuration makes it possible to prove to a third 
party that ticket authentication has been surely performed. 

Of course, a verification expression used by the third party 
to verify signature (M,R,s) is 



[Expression 34] 



[Application Example: Membership Card] 

A description will be made of an example of application 
of the interaction device 300 and the prover function by use 
of ticket having been heretofore described to actual appli- 
cative aspects. 

An example of application to membership cards will be 
described using FIG. 12. In this application example, 
authentication characteristic information x is made to cor- 
respond with service, a ticket provides a qualification for 
using the service, and a message transferred during proof 
contains the service name and an identifier as a service user, 
that is, a member's ID code. 

A ticket in this application example implements by a bit 
string a membership card or the like usually implemented by 
a plastic card or the like. 



A ticket issuer is a service provider and a membership 
card verification device 1000 is composed of: 

(1) smart card reader 510 

(2) membership number display unit 511 

(3) ticket verification device 500 implemented as a program 
burnt into a ROM within the smart card reader. 

The display unit 511, when ticket verification succeeds, 
displays a transferred message, i.e., a member's ID code, 
and gives an error indication when ticket verification fails. 
The smart card reader 510 has a slot for inserting a smart 
card to communicate with the smart card. 

Assume that a service user owns a smart card 2000 
composed of a ticket memory unit 312, a document memory 
unit 313, and an interaction device 300. 
The service user, when making member registration, 
presents the identifier of his interaction device 300 to have 
a ticket corresponding to the interaction device 300 issued, 
and inputs it along with a document to the smart card 2000, 
for example. 

A document is composed of a field to represent a service 
name (e.g., "Xerox Club") and a field to represent a member's 
ID code (e.g., "0017 257 65537"). 

When using the service, the user inserts the smart card 
2000 into the membership card verification device 1000 to 
perform ticket authentication. 

Herein, a construction is made so that messages generated 
by the interaction device 300 are documents themselves. 

If an input part different from the smart card reader 510 
within the membership card verification device 1000 is 
provided to input tickets and documents, tickets and 
documents need not necessarily be stored in the smart card 2000. 

For example, a user carries a smart card 2000 comprising 
only an interaction device 300 and may store tickets and 
documents in portable information equipment different from 
the smart card 2000 or store them in a home PC to obtain 
them using portable communication equipment as required. 

A ticket need not always be issued at the time of member 
registration; it can also be replaced by a plastic membership 
card already held by the user. 

A ticket issuer may be provided independently of a 
service provider so that the service provider commits the 
issuance of tickets to service users to the independent ticket 
issuer. 

If a ticket issuer is provided independently, tickets 
corresponding to various services can be issued to a single 
interaction device 300, so users can hold a plurality of 
membership cards and the like purely as electronic information 
as long as they have a single interaction device 300. 
[Application Example: Prepaid Card] 

Next, an example of application to prepaid cards will be 
described referring to FIG. 13. 

In this application example, authentication characteristic 
information x is made to correspond with service, a ticket is 
a prepaid card used for the service, and a message trans- 
ferred during proving contains information about success or 
failure of withdrawal from the prepaid card and balance 
information of the prepaid card. 

A ticket issuer is a service provider and a prepaid card 
handling device 1500 is composed of: 

(1) smart card reader 510 

(2) withdrawal amount input unit 512 

(3) display unit 513 

(4) PIN input unit 514 

(5) ticket verification device 500 implemented as a program 
burnt into a ROM within the smart card reader. 

The smart card reader 510 has a slot for inserting a smart 
card 2000 to communicate with the smart card 2000. 






09/28/2004, EAST Version: 1.4.1 



US 6,567 


The withdrawal amount input unit 512, comprised of e.g. 
ten-keys, is used to input a withdrawal amount. 

The display unit 513 displays a withdrawal amount input 
in the withdrawal amount input unit 512, then if ticket 
authentication succeeds, displays a transferred message, that 
is, information about success or failure of withdrawal and a 
balance of the prepaid card; otherwise, it gives an error 
indication. 

The PIN input unit 514, composed of e.g. ten-keys, is used 
for PIN input by users. 

Assume that a service user owns a smart card 2000 
composed of the ticket memory unit 312 and the interaction 
device 300. 

The service user, when purchasing a prepaid card, presents 
the identifier of his interaction device 300, a PIN to be 
associated with the prepaid card, and a face value of the 
prepaid card to have a ticket corresponding to the interaction 
device 300 issued, inputs it to e.g. his own smart card 
2000, and sets the face value information of the prepaid card 
in a counter of the interaction device 300. 

A document is composed of a field to represent a service 
name (e.g., "Xerox Store") and a field to represent a PIN 
(e.g., "0917"). 

When using the service, the user inserts the smart card 
2000 into the prepaid card handling device 1500 to perform 
ticket authentication. 

The smart card reader 510 obtains the ticket stored in the 
smart card 2000, sets it in the ticket verification device 500, 
and starts interaction. 

A withdrawal amount (e.g., 350 yen) input in the withdrawal 
amount input unit 512 is embedded in a specific bit field of 
a challenge sent from the ticket verification device 500, and 
a service name (e.g., "Xerox Store") and PIN (e.g., "0917") 
input from the PIN input unit 514 together are input to the 
interaction device 300 as a document. 

The message generation unit 309 (FIG. 3) of the interaction 
device 300, if a withdrawal amount embedded in the challenge 
is not greater than a counter value (e.g., 2000 yen), 
decrements the counter value by the withdrawal amount 
(leaving 1650 yen) and generates a withdrawal success 
indication ("OK") and a counter balance (1650 yen) as a 
message. If the withdrawal amount is greater than the 
counter value, the message generation unit 309, without 
decrementing the counter, generates a withdrawal failure 
indication ("NG") and a counter balance as a message. 

The ticket verification device 500 verifies a sent message, 
and in the case of withdrawal failure, for example, withdraws 
only the card balance from the card and has the user pay 
the difference in cash. 

As described hereinbefore, the present invention can 
distribute proof functions based on authentication 
characteristic information without disclosing the authentication 
characteristic information in public key cryptography. 
Hence, it has become possible for a plurality of individuals 
having no interest with each other to safely perform proving 
based on identical authentication characteristic information. 
This has been heretofore impossible. This fact makes it 
possible to associate a ticket not necessarily belonging to 
individuals in nature with authentication characteristic 
information in public key cryptography without modification, 
and the verification side of the ticket can perform 
authentication simply by determining whether the ticket is 
true or false according to a disclosed procedure based on 
disclosed unique verification information, so that the burden 
on the verification side can be remarkably reduced. Also on 
the part of the user to prove the holding of the ticket, the 
above-described characteristic of the verification side is 
advantageous in that the fairness of the verification side 
can be confirmed and individuals are not located (because 
authentication characteristic information not belonging to 
individuals participates in verification) to verify the 
ticket. Moreover, to the user, a ticket and an interaction 
device are black boxes understandable only to a ticket issuer, 
and if the ticket is input to the interaction device, it 
cannot be assured that a covert channel not concerned in 
implementing the authentication method does not exist, 
whereas, in the present invention, information transfer to 
the interaction device is implemented as a document which 
permits the user full interpretation but will not impair the 
safety of the protection side, and a ticket as a black box is 
not input to an interaction device as a black box. 

The present invention employs Guillou-Quisquater 
authentication as base public key cryptography. The 
zero-knowledge property of Guillou-Quisquater authentication 
is proved by Guillou and Quisquater in "A 'paradoxical' 
identity-based signature scheme resulting from zero- 
knowledge", Advances in Cryptology CRYPTO '88 (Lecture 
Notes in Computer Science v. 403), S. Goldwasser (ed.), 
Springer-Verlag, pp. 216-231. 

What is claimed is: 

1. An authentication method by which a commitment r is 
generated, a response s and a message M are generated for 
a document m and a challenge χ, and an authentication is 
performed based on verification information I∈G, the 
commitment r and the response s, G is a finite Abelian group 
whose annihilator is difficult to obtain from the point of 
view of computational complexity, R is a space of commitments, 
π is a mapping from G to R, C is a space of challenges, and S 
is a space of messages, the authentication method comprising: 

(a) generating a p-element field F_p where p is a prime 
number; 

(b) generating a mapping φ from a set-theoretic product 
C×S of C and S into the p-element field F_p; 

(c) generating nonreproducible private information k∈G at 
random; 

(d) computing the commitment r = π(k^p); 

(e) computing document private information μ = f(m) with 
f as a private G-valued function; 

(f) generating the message M; 

(g) computing an exponent C = φ(χ, M); 

(h) computing a response σ = k μ^C; 

(i) computing the response s = t^C σ; and 

(j) verifying that the generated response s satisfies 
r = π(s^p I^C). 

2. An authentication device that generates a commitment 
r, generates a response s and a message M for a document 
m and a challenge χ, and performs an authentication based 
on verification information I∈G, the commitment r, and the 
response s, G is a finite Abelian group whose annihilator is 
difficult to obtain from the point of view of computational 
complexity, R is a space of commitments, π is a mapping from 
G to R, C is a space of challenges, and S is a space of 
messages, the authentication device comprising: 

(a) a part that generates a p-element field F_p where p is a 
prime number; 

(b) a part that generates a mapping φ from a set-theoretic 
product C×S of C and S into the p-element field F_p; 

(c) a part that generates nonreproducible private 
information k∈G at random; 

(d) a part that computes the commitment r = π(k^p); 

(e) a part that computes document private information 
μ = f(m) with f as a private G-valued function; 
(f) a part that generates the message M; 

(g) a part that computes an exponent C = φ(χ, M); 

(h) a part that computes a response σ = k μ^C; 

(i) a part that computes the response s = t^C σ; and 

(j) a part that verifies that the generated response s 
satisfies r = π(s^p I^C). 

3. An interaction method by which a commitment r is 
generated, a response σ and a message M are generated for 
a document m and a challenge χ, F_p is a p-element field 
where p is a prime number, G is a finite Abelian group whose 
annihilator is difficult to obtain from the point of view of 
computational complexity, R is a space of commitments, π is 
a mapping from G to R, C is a space of challenges, and S is 
a space of messages, the interaction method comprising: 

(a) generating a p-element field F_p where p is a prime 
number; 

(b) generating a mapping φ from a set-theoretic product 
C×S of C and S into the p-element field F_p; 

(c) generating nonreproducible private information k∈G at 
random; 

(d) computing the commitment r = π(k^p); 

(e) computing document private information μ = f(m) with 
f as a private G-valued function; 

(f) generating the message M; 

(g) computing an exponent C = φ(χ, M); and 

(h) computing a response σ = k μ^C. 

4. The interaction method according to claim 3, wherein 

5. The interaction method according to claim 3, wherein 
p is prime to a generator λ of the annihilator of G. 

6. The interaction method according to claim 3, wherein 
G is a multiplicative group (Z/nZ)* of a residue class ring of 
rational integers, modulo a composite number n. 

7. The interaction method according to claim 3, wherein 
G is a group E(Z/nZ) comprising points each having a value 
in Z/nZ of a group scheme E on the residue class ring Z/nZ 
of rational integers, modulo a composite number n. 

8. The interaction method according to claim 3, wherein 
π is an identity mapping. 

9. The interaction method according to claim 3, wherein 
π is computed using a hash function. 

10. The interaction method according to claim 3, wherein 
φ is computed using a hash function. 

11. The interaction method for a device that conducts the 
interaction set forth in claim 3, wherein to output the 
commitment r, input the document m and the challenge χ, 
and output the response σ and the message M, the interaction 
device comprises: 

(a) a part that inputs and outputs information; 

(a) a part that holds specific private information d; and 

(b) a part that computes a hash function h, 

wherein document private information μ is computed 
using a hash function h from specific private 
information d and document m. 

15. The interaction device according to claim 11, further 
comprising a part that performs processing according to 
document m. 

16. The interaction device according to claim 15, wherein 
document m defines at least part of G, p, and π. 

17. The interaction device according to claim 15, wherein 
document m defines conditions for generating a response. 

18. The interaction device according to claim 15, wherein 
document m defines messages to be generated. 

19. A ticket issuance method by which ticket t∈G is 
generated for document m and an interaction device having 
a specific private function f set forth in claim 11 when 
authentication characteristic information x∈G corresponding 
to verification information I∈G satisfies I x^p = 1, said 
ticket issuance method comprising the steps of: 

(a) computing document private information μ = f(m); and 

(b) computing ticket t = x μ^{-1}. 

20. The ticket issuance method according to claim 19, 
wherein document m depends on authentication characteristic 
information x. 

21. The ticket issuance method according to claim 19, 
wherein document m contains information for identifying 
authentication characteristic information x. 

22. The ticket issuance device according to claim 19, 
wherein, to input authentication characteristic information x, 
document m, and information for identifying an interaction 
device to output ticket t, said ticket issuance device 
comprises: 

(a) a part that inputs and outputs information; 

(b) a part that stores information; 

(c) a part that computes specific private information f; and 

(d) a part that executes an algorithm in G. 

23. A ticket synthesis method by which synthesized ticket 
t corresponding to synthesized verification information 
I = I_1 ... I_N is generated as t = t_1 ... t_N, where 
I_1, ..., I_N, t_1, ..., t_N are verification information 
I_i∈G set forth in claim 19 and ticket t_i∈G corresponding 
to an interaction device having a specific private function f. 

24. The interaction device according to claim 11, wherein 
document private information μ = f(m_1) ... f(m_N) is 
computed for a plurality of documents m_1, ..., m_N. 

25. A proof method by which the commitment r is 
generated using an interaction device according to claim 19 
and the ticket t and the document m for verification infor- 

(b) a part that stores information; mation I and the message M and the response s are generated 

(c) a part that generates random numbers; for tne challenge % so that they satisfy r-^sT*^* 0 ), the 

(d) a part that executes an algorithm in G; P roof method comprising: 

(e) a part that computes re if necessary; 55 ( a ) obtaining commitment r using the interaction device; 

(f) a part that computes a specific private function f; ( b ) obtaining the message M and the response a corre- 

(g) a part that generates messages; and sponding to the document m and the challenge % using 

(h) a part that computes <fr. me infraction device; 

12. The interaction device according to claim 11, wherein ( c ) computing the exponent C=$(xM); and 
internal execution processing processes are difficult to 60 (d) computing the response s-t c o\ 

observe from outside the interaction device. 26. A proving device that holds the ticket t and the 

13. The interaction device according to claim 11, wherein document m, outputs the commitment r by communicating 
said interaction device is configured as a portable compact with the interaction device in claim 25, inputs the challenge 
computation device such as an IC card. X» 40(1 outputs the message M and the response s, the 

14. The interaction device according to claim 11, wherein 65 proving device comprising: 

the part that computes a specific private function f com- (a) a part that inputs and outputs information; 

prises: (b) a part that stores information; 
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(c) a part that executes an algorithm in G; and 

(d) a part that computes 

27. A method for verifying the ticket t for verification 
information I in claim 19, comprising: 

(a) obtaining the commitment r; 

(b) generating the challenge x randomly; 

(c) obtaining the message M and the response a; 

(d) computing an exponent Oij^M); and 

(e) confirming that a relational expression r-Jt((t c a) p I c ) 
or a relational expression equivalent to this relational 
expression is satisfied. 

28. A ticket verification device that executes verification 
in claim 27, wherein, to hold the verification information I 
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and the ticket t, input the commitment r, output the challenge 
X, input the message M and the response a, and verify 
legitimacy, the ticket verification device comprises: 

(a) a part that inputs and outputs information; 

(b) a part that stores information; 

(c) a part that generates random numbers; 

(d) a part that executes an algorithm in G; 

(e) a part that computes x if necessary; and 

(f) a part that computes 

* * * * * 
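As an added worked example (not code from the patent), the ticket issuance of claim 19, the interaction of claim 3, the user's conversion of claim 25 and the verifier's check of claim 27 are carried through in Python over G=(Z/nZ)* (claim 6), with π taken as the identity (claim 8). The modulus n, the exponent p=17, the keyed hash standing in for the device's private function f and the hash realising φ are constructed assumptions.

```python
import hashlib, hmac, math, secrets
# Constructed parameters (not from the patent): G = (Z/nZ)* with n the product of the
# Mersenne primes 2^31-1 and 2^61-1; lambda(n) has no factor 17, so p = 17 is prime to
# the annihilator of G and x -> x^p is a bijection on G.
n = (2**31 - 1) * (2**61 - 1)
p = 17

def phi(chi, M):
    """phi: C x S -> F_p, here SHA-256 of (challenge, message) reduced mod p (claim 10)."""
    return int.from_bytes(hashlib.sha256(chi + b"|" + M).digest(), "big") % p

def random_unit():
    while True:                                  # nonreproducible k drawn uniformly from G
        k = secrets.randbelow(n)
        if math.gcd(k, n) == 1:
            return k

class InteractionDevice:
    """Holds the device-specific private G-valued function f (a keyed hash here), claim 11."""
    def __init__(self, device_key):
        self._key, self._k = device_key, None

    def f(self, m):                              # mu = f(m); a non-unit is negligibly likely
        return int.from_bytes(hmac.new(self._key, m, hashlib.sha256).digest(), "big") % n

    def commit(self):
        self._k = random_unit()
        return pow(self._k, p, n)                # r = pi(k^p) with pi the identity (claim 8)

    def respond(self, m, chi, M):
        c = phi(chi, M)                          # exponent c = phi(chi, M)
        return (self._k * pow(self.f(m), c, n)) % n   # response sigma = k * mu^c

def keygen():                                    # x in G and I with I * x^p = 1 (claim 19)
    x = random_unit()
    return x, pow(x, -p, n)

def issue_ticket(x, device, m):
    """Claim 19: ticket t = x * f(m)^-1 for this device's f and document m."""
    return (x * pow(device.f(m), -1, n)) % n

def prove(device, t, m, chi, M):
    """Claim 25: the user turns the device's (r, sigma) into the GQ response s = t^c * sigma."""
    r = device.commit()
    sigma = device.respond(m, chi, M)
    return r, (pow(t, phi(chi, M), n) * sigma) % n

def verify(I, r, chi, M, s):
    c = phi(chi, M)                              # claim 27 with s = t^c sigma substituted
    return r == (pow(s, p, n) * pow(I, c, n)) % n   # accept iff r = pi(s^p * I^c)
```

The device never learns x or t, and the verifier never sees μ; only the ticket holder can turn the device's σ into a transcript that verifies under I.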